Management of NVTs and CVEs

G’day,

We have a third-party cybersecurity platform that constantly scans all our domains for vulnerabilities. My Discourse server (running 2.9.0.beta7) hosted on DigitalOcean is flagging the following NVTs and CVEs. All of the CVEs are related to nginx. Have I missed a process somewhere to update nginx? Appreciate any assistance.


G’day!

Unless your base image is somehow out of date (shouldn’t be possible, you’d be prevented from updating via the UI if it was), Discourse isn’t vulnerable to those nginx CVEs. You can see the version of nginx used at discourse_docker/install-nginx at main · discourse/discourse_docker · GitHub, and looking at the nginx security advisories, 1.21.0+ isn’t vulnerable to the CVEs listed.

How did you install Discourse? Did you follow the official install instructions? Any proxies in front of your instance?

Thanks for your quick reply Joshua,

No proxies in front of the instance.

I installed it via the 1-click Marketplace on DigitalOcean: Discourse Hosting | DigitalOcean Marketplace 1-Click App

The instance is Ubuntu 20.04.2 LTS


So we have limited support for the 1-click install. That comes from DigitalOcean, we have no control over it. Despite DigitalOcean saying “Supported By: DigitalOcean”, the Support URL sends folks here, where DO staff are not. :man_shrugging:

Anyway, first thing I would try, to rule out a weird base image scenario, is to SSH into your droplet, and run the following:

cd /var/discourse
git pull
sudo ./launcher rebuild app

That last command will ensure you have the latest base image, as well as the latest Discourse code. Warning: it will take your site down while running.

Then re-run your scanner and see what it reports.


Thanks Joshua,

I will do as you suggest and let you know.

Any feedback on the three NVTs listed?

  • SSL/TLS: Missing secure Cookie Attribute
  • Missing httpOnly Cookie Attribute
  • TCP timestamps

I am not personally familiar with NVTs. And Google isn’t exactly giving promising results, see NVT A-105925 - Google Search for example. Best I’m getting is results on securityspace.com, a site that, strangely enough, doesn’t use SSL/TLS itself and looks like it was built in the 90s.

Does your third-party cybersecurity platform provide more details on the 3 NVTs besides titles?


Apologies Joshua, the NVTs are Network Vulnerability Tests.

This is the detail available:

Re: the first two:

It appears the instance is improperly configured and doesn’t realise it’s serving over https.

SiteSetting.force_https = true may resolve this.

Re: the third:

This is a property of the host on which Discourse is running and needs to be fixed there.

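To confirm the first two findings are gone after a change such as SiteSetting.force_https, here is an added check (not code from this thread or from Discourse) that inspects Set-Cookie headers for the Secure and HttpOnly attributes; the cookie names and values are constructed samples, not Discourse's real cookies.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes.

Added example, not part of the thread or of Discourse. Mirrors what the
two cookie NVTs test: a cookie set over HTTPS should carry Secure, and a
session-style cookie should carry HttpOnly.
"""


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie value into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(set_cookie_headers: list, served_over_https: bool = True) -> list:
    """Return one finding per cookie that lacks Secure (on HTTPS) or HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        missing = []
        if served_over_https and "secure" not in cookie["attrs"]:
            missing.append("Secure")
        if "httponly" not in cookie["attrs"]:
            missing.append("HttpOnly")
        if missing:
            findings.append({"cookie": cookie["name"], "missing": missing})
    return findings


# Constructed sample headers: what a scanner might see before and after the
# app is told it is behind HTTPS (the app only adds Secure when it knows that).
BEFORE_FIX = [
    "session_id=abc123; Path=/; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/",
]
AFTER_FIX = [
    "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    print("before:", audit_cookies(BEFORE_FIX))  # two findings
    print("after: ", audit_cookies(AFTER_FIX))   # []
```

In practice, feed it the Set-Cookie headers from a response captured against your own instance over HTTPS and re-run it after the rebuild and setting change.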
